Fix BitLocker Cannot Encrypt the System Drive on Windows 11
🔍 WiseChecker


Quick fix: BitLocker on the system drive expects a TPM (2.0 on Windows 11-certified hardware; BitLocker also accepts 1.2, and can run with no TPM at all only if the Group Policy "Allow BitLocker without a compatible TPM" is enabled), UEFI firmware, and Windows 11 Pro, Enterprise or Education. Secure Boot is strongly recommended (on UEFI systems BitLocker seals the key to the Secure Boot state) but not a hard requirement. Check TPM status in tpm.msc and Secure Boot State / BIOS Mode in msinfo32 (System Information). Windows 11 Home has no BitLocker UI, only Device Encryption on eligible hardware. Pro/Enterprise/Education: Control Panel → BitLocker Drive Encryption → Turn on BitLocker.

You try to enable BitLocker on the C: drive and get an error, or the option is missing. Cause: the hardware or firmware doesn't meet the requirements (TPM, UEFI/Secure Boot), the edition lacks BitLocker, or a BitLocker Group Policy blocks the protector you are trying to use. Fix: verify each requirement in turn.

Symptom: Can't enable BitLocker on the system drive; the option is missing or an error appears during encryption.
Affects: Windows 11 Pro/Enterprise/Education with BitLocker (Home has only Device Encryption).
Fix time: ~20 minutes.


What causes this

BitLocker protects the OS drive by sealing the volume key in a TPM (Trusted Platform Module) and releasing it only when the measured boot chain matches. That imposes specific hardware/firmware requirements: a TPM (2.0 on all Windows 11-certified hardware; 1.2 is also supported; none at all only with the "Allow BitLocker without a compatible TPM" policy and a USB startup key or password), UEFI firmware (TPM 2.0 is not supported in legacy/CSM mode, and Secure Boot, which BitLocker measures, only exists under UEFI), and Windows 11 Pro, Enterprise or Education (Home gets only the limited Device Encryption). Secure Boot is not mandatory, but without it BitLocker falls back to measuring the boot binaries themselves, which makes firmware and boot-manager updates more likely to trigger recovery.

Method 1: Verify hardware/firmware prerequisites

Check these first.

  1. Run tpm.msc. TPM Management opens.
  2. Verify Status reads "The TPM is ready for use" and Specification Version reads 2.0. (BitLocker also accepts 1.2, but TPM 2.0 only works in native UEFI mode, and Windows 11 itself expects 2.0.)
  3. If no TPM is found: enable it in firmware setup. Reboot, enter setup (F2/Del, varies by vendor). Look for "TPM," "PTT" (Intel Platform Trust Technology), or "fTPM" (AMD firmware TPM). Enable.
  4. Verify Secure Boot: run msinfo32 and read System Summary → Secure Boot State (On) and BIOS Mode (UEFI). Settings → System → About does not show this.
  5. If Off: enable in firmware setup → Boot/Security → Secure Boot → Enabled. This may require disabling CSM/Legacy boot first. Caveat: if Windows was installed in legacy mode the disk is MBR, and switching the firmware to UEFI makes it unbootable; convert first with mbr2gpt.exe /validate /allowFullOS and then mbr2gpt.exe /convert /allowFullOS from an elevated prompt, then switch the firmware.
  6. Verify the Windows edition: Settings → System → About. Must be Windows 11 Pro, Enterprise, or Education. Home gets only Device Encryption.
  7. For Home users: upgrade to Pro via Settings → System → Activation → Change product key (about $100).

This handles prerequisite mismatch.
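The checks above, collected into one script. This is an added example, not code from the original article; it uses only built-in Windows tooling (the Win32_Tpm WMI class, Confirm-SecureBootUEFI, Get-WindowsEdition, Get-Disk, Get-BitLockerVolume), and the OK/WARN/FAIL wording is ours. Run it from an elevated PowerShell.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the original article): run the Method 1 checks in one go.
# Built-in cmdlets/classes only; the OK/WARN/FAIL interpretation is ours.

$report = [ordered]@{}

# 1. TPM present, enabled, activated, and which spec. SpecVersion reads like "2.0, 0, 1.38".
$tpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
if ($null -eq $tpm) {
    $report['TPM'] = 'FAIL: no TPM visible to Windows (enable TPM/PTT/fTPM in firmware setup)'
} else {
    $spec  = ($tpm.SpecVersion -split ',')[0].Trim()
    $ready = $tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue
    $report['TPM'] = if ($ready) { "OK: TPM $spec enabled and activated" } else { "FAIL: TPM $spec present but not enabled/activated" }
}

# 2. Firmware mode. TPM 2.0 is only supported in native UEFI mode, and Secure Boot needs UEFI too.
$report['Firmware'] = if ($env:firmware_type -eq 'UEFI') { 'OK: UEFI' } else { "WARN: $($env:firmware_type) (CSM/legacy boot)" }

# 3. Secure Boot. The cmdlet throws on legacy-BIOS machines, so that case is reported separately.
try {
    $report['SecureBoot'] = if (Confirm-SecureBootUEFI) { 'OK: On' } else { 'WARN: Off (recommended, not mandatory; enable in firmware setup)' }
} catch {
    $report['SecureBoot'] = 'WARN: unavailable (legacy BIOS mode)'
}

# 4. Boot disk partition style. Switching the firmware to UEFI only boots if the disk is GPT;
#    run mbr2gpt.exe /validate /allowFullOS, then /convert /allowFullOS, before turning CSM off.
$style = (Get-Disk | Where-Object IsBoot | Select-Object -First 1).PartitionStyle
$report['BootDisk'] = if ($style -eq 'GPT') { 'OK: GPT' } else { "WARN: $style (convert with mbr2gpt before enabling UEFI/Secure Boot)" }

# 5. Edition. Home editions report as Core*; they get Device Encryption, not the BitLocker UI.
$edition = (Get-WindowsEdition -Online).Edition
$report['Edition'] = if ($edition -like 'Core*') { "FAIL: $edition (Home): Device Encryption only" } else { "OK: $edition" }

# 6. Current state of the system drive (Device Encryption on Home uses the same engine, so this works there too).
try {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    $report['BitLocker'] = '{0}, protection {1}, {2}% encrypted' -f $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionPercentage
} catch {
    $report['BitLocker'] = "unknown ($($_.Exception.Message))"
}

$report.GetEnumerator() | ForEach-Object { '{0,-11} {1}' -f $_.Key, $_.Value }
```

Anything reported as FAIL maps directly to a step above; a WARN on BootDisk is the one to resolve before touching the firmware, because flipping CSM off with an MBR disk leaves a machine that will not boot.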


Method 2: Enable BitLocker via Control Panel

The standard route.

  1. Open Control Panel. Click BitLocker Drive Encryption.
  2. For the C: drive: click Turn on BitLocker.
  3. The BitLocker setup wizard starts. On a TPM machine the default is TPM-only unlock with no prompt at boot, and the wizard only asks how to unlock when Group Policy requires additional authentication at startup. When it does ask:
    • PIN: TPM + PIN typed before Windows loads. The strongest common choice, because the TPM will not release the key without it, which defeats attacks that sniff or abuse a TPM-only configuration.
    • USB flash drive: a startup key on removable media; also the option for machines with no TPM (requires the "Allow BitLocker without a compatible TPM" policy).
    • Password: a pre-boot password, likewise only offered on the OS drive when policy permits it.
  4. Save the recovery key: to your Microsoft account (recommended for personal PCs), a USB drive, a file (not on the drive being encrypted), or print it. Don't skip this. The 48-digit recovery password is the only way in after a firmware update, TPM clear, or board swap sends the machine into recovery.
  5. Choose the encryption type: Encrypt used disk space only is fine for a fresh install; Encrypt entire drive for a drive that has been in use, because deleted files still sit in "free" space and would otherwise remain readable.
  6. Run the BitLocker system check (recommended). It reboots once to prove the TPM can release the key before committing. Reboot when prompted.
  7. Encryption runs in the background. Time depends on drive size, used-space-only versus full, and disk speed: minutes for a small SSD, several hours for a large HDD.
  8. Verify: a lock overlay appears on C: in File Explorer, and manage-bde -status C: shows Conversion Status and Protection Status.

This is the standard activation.
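The same activation as a script, which makes the choices (cipher, used-space-only, TPM-only or TPM+PIN, where the recovery key goes) explicit and repeatable. This is an added example, not code from the original article; it uses the built-in BitLocker module (Enable-BitLocker, Add-BitLockerKeyProtector, Get-BitLockerVolume) and manage-bde. Assumptions that are ours: the system drive is $env:SystemDrive, a TPM is present and ready, and $RecoveryKeyDir is a location you choose that is not on the drive being encrypted.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the original article): Method 2 as a script.
# Assumes a ready TPM; $RecoveryKeyDir is an assumed path on removable or network storage.
param(
    [string] $Drive          = $env:SystemDrive,
    [string] $RecoveryKeyDir = 'D:\BitLockerKeys',   # assumed: NOT the drive being encrypted
    [switch] $RequirePin                             # TPM+PIN instead of TPM-only unlock
)

$vol = Get-BitLockerVolume -MountPoint $Drive
if ($vol.ProtectionStatus -eq 'On') { Write-Host "$Drive is already protected"; return }

# 1. Add the recovery password first, so a way in exists before the TPM binding is created
#    (the wizard's "Save recovery key" step). Enable-BitLocker takes one protector type per call,
#    hence the separate Add-BitLockerKeyProtector.
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null
}
$rp = (Get-BitLockerVolume -MountPoint $Drive).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1

# 2. Store the 48-digit recovery password somewhere other than the drive being encrypted.
New-Item -ItemType Directory -Path $RecoveryKeyDir -Force | Out-Null
$keyFile = Join-Path $RecoveryKeyDir ('BitLocker-{0}-{1}.txt' -f $env:COMPUTERNAME, $rp.KeyProtectorId.Trim('{}'))
@"
Computer:      $env:COMPUTERNAME
Drive:         $Drive
Protector ID:  $($rp.KeyProtectorId)
Recovery key:  $($rp.RecoveryPassword)
"@ | Set-Content -Path $keyFile
Write-Host "Recovery key saved to $keyFile"
# Domain-joined alternative: Backup-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $rp.KeyProtectorId
# Entra-joined alternative:  BackupToAAD-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $rp.KeyProtectorId

# 3. Turn on encryption: XTS-AES-256, used space only (fresh install), TPM-only or TPM+PIN.
#    Without -SkipHardwareTest BitLocker reboots once and proves the TPM can unlock the drive
#    before committing, which is the wizard's "Run BitLocker system check".
$common = @{ MountPoint = $Drive; EncryptionMethod = 'XtsAes256'; UsedSpaceOnly = $true }
if ($RequirePin) {
    $pin = Read-Host -AsSecureString 'Enter a startup PIN (6+ digits)'
    Enable-BitLocker @common -TpmAndPinProtector -Pin $pin
} else {
    Enable-BitLocker @common -TpmProtector
}

# 4. Verify. VolumeStatus goes EncryptionInProgress -> FullyEncrypted; ProtectionStatus stays Off
#    until the hardware-test reboot completes, then reads On.
Get-BitLockerVolume -MountPoint $Drive | Format-List VolumeStatus, ProtectionStatus, EncryptionPercentage, KeyProtector
manage-bde -status $Drive
```

Use -RequirePin on laptops: a TPM-only configuration boots straight to the logon screen, so anyone with the hardware gets a running kernel to attack; TPM+PIN keeps the key inside the TPM until the user proves presence. Use Encrypt entire drive (drop UsedSpaceOnly) on a drive that has held data before.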

Method 3: For Home edition — use Device Encryption

For Windows 11 Home users.

  1. Open Settings → Privacy & security → Device encryption.
  2. If the "Device encryption" section is visible: toggle it on. It is BitLocker underneath (TPM-only unlock, XTS-AES-128), with the recovery key escrowed to the Microsoft account you sign in with.
  3. Caveat: the section only appears on hardware that passes the automatic-encryption checks: TPM, UEFI Secure Boot, and on builds before 24H2 Modern Standby support (most newer laptops). msinfo32 → System Summary → "Device Encryption Support" states the exact reason when it is unavailable.
  4. If the section doesn't appear, the hardware fails one of those checks. Upgrade to Pro for full BitLocker, or use VeraCrypt (next step); leaving the drive unencrypted is the least safe option.
  5. VeraCrypt as an alternative: free, open source, no TPM needed, works on Home. Less integrated than BitLocker (no TPM unlock, no recovery-key escrow) but sound.
  6. VeraCrypt encrypts container files, data partitions, or the whole system partition. System encryption installs its own pre-boot loader and asks for the password at every boot; on UEFI machines that loader is not Microsoft-signed, so Secure Boot must be off or VeraCrypt's DCS keys enrolled in the firmware. Keep the rescue disk it makes you create.

This is the right path for Home edition.

How to verify the fix worked

  • Control Panel → BitLocker Drive Encryption: shows C: as "BitLocker on."
  • Run manage-bde -status C: in Terminal: Conversion Status reads Fully Encrypted (or Encryption in Progress) and Protection Status reads Protection On. Key Protectors should list TPM (or TPM And PIN) plus Numerical Password; Encryption Method should read XTS-AES, not Hardware Encryption.
  • Boot: if a PIN or startup key was configured, BitLocker prompts before Windows loads. TPM-only configurations boot straight through, so rely on Protection Status rather than a prompt.

If none of these work

If BitLocker still fails, work through these:

  • TPM not initialized: tpm.msc → Prepare the TPM (labelled Initialize TPM on older builds). Some PCs ship with the TPM cleared. Caveat: Clear TPM wipes every key sealed in it; if any volume is already BitLocker-protected, suspend protection first (manage-bde -protectors -disable C:) or have the recovery key ready, or the next boot lands in recovery.
  • Group Policy: gpresult /h C:\result.html → look under BitLocker Drive Encryption → Operating System Drives. "Require additional authentication at startup" can demand a PIN or startup key, forbid TPM-only unlock, or (with "Allow BitLocker without a compatible TPM") permit BitLocker on a machine with no TPM. Adjust in gpedit.msc → Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Operating System Drives. Domain or MDM policy overrides local edits, so on managed PCs the admin has to change it.
  • TPM 1.2 only: BitLocker works, but some newer features need 2.0, and Windows 11 itself is not supported on 1.2 hardware. Expect more recovery prompts after firmware updates.
  • Dual boot: each Windows install encrypts its own volume from inside that install. A third-party bootloader (GRUB, rEFInd) ahead of the Windows Boot Manager changes the measured boot chain, so bootloader updates trigger recovery prompts, and Linux cannot unlock BitLocker volumes natively. Keep the Windows Boot Manager first in the chain, or accept the recovery prompts.
  • SSDs with hardware self-encryption (SED/OPAL): BitLocker can delegate to the drive's own encryption, but since 2019 Windows defaults to software encryption after researchers found SED implementations that could be bypassed, and only uses hardware encryption if the policy "Configure use of hardware-based encryption for operating system drives" enables it. Leave the default: XTS-AES in software costs little on a modern CPU, and manage-bde -status C: should show an Encryption Method of XTS-AES rather than Hardware Encryption. A drive already encrypted in hardware mode must be decrypted and re-encrypted to switch.
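A quicker way to read the policy state than scrolling a gpresult report: the BitLocker policies write DWORD values under HKLM\SOFTWARE\Policies\Microsoft\FVE, and the script below lists the ones that gate the OS drive and flags the combinations that make Turn on BitLocker fail. This is an added example, not code from the original article. The value names are the ones the BitLocker ADMX writes (check them against your gpresult report if your build differs); the interpretation text is ours.

```powershell
# Added example (not part of the original article): decode the BitLocker OS-drive policy
# values from the registry. Value names follow the VolumeEncryption ADMX; an absent value
# means "Not Configured" and the Windows default applies. Interpretation text is ours.

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) {
    Write-Host 'No BitLocker policy keys present: everything is Not Configured, defaults apply.'
    return
}
$p = Get-ItemProperty -Path $fve

# 0/1/2 scale used by the startup options: 0 = do not allow, 1 = require, 2 = allow.
$checks = @(
    @{ Name = 'UseAdvancedStartup';            Text = 'Require additional authentication at startup (1 = enabled)' },
    @{ Name = 'EnableBDEWithNoTPM';            Text = 'Allow BitLocker without a compatible TPM (1 = allowed; needs UseAdvancedStartup = 1)' },
    @{ Name = 'UseTPM';                        Text = 'TPM-only startup: 0 do not allow, 1 require, 2 allow' },
    @{ Name = 'UseTPMPIN';                     Text = 'TPM + PIN: 0 do not allow, 1 require, 2 allow' },
    @{ Name = 'UseTPMKey';                     Text = 'TPM + startup key (USB): 0/1/2 as above' },
    @{ Name = 'UseTPMKeyPIN';                  Text = 'TPM + startup key + PIN: 0/1/2 as above' },
    @{ Name = 'OSEncryptionType';              Text = 'Enforce encryption type on OS drives: 1 full, 2 used space only' },
    @{ Name = 'OSHardwareEncryption';          Text = 'Use hardware-based (SED/OPAL) encryption for OS drives (1 = enabled)' },
    @{ Name = 'OSRequireActiveDirectoryBackup';Text = 'Refuse to enable until recovery info is stored in AD DS (1 = enforced)' }
)

foreach ($c in $checks) {
    $v = $p.($c.Name)                       # $null when the value is absent
    $state = if ($null -eq $v) { 'Not Configured' } else { $v }
    '{0,-32} {1,-15} {2}' -f $c.Name, $state, $c.Text
}

# Combinations that make Turn on BitLocker / Enable-BitLocker -TpmProtector fail on a TPM machine.
if ($p.UseTPM -eq 0) {
    Write-Warning 'Policy forbids TPM-only unlock: add a PIN or startup key, or change UseTPM.'
}
if ($p.UseTPMPIN -eq 1 -or $p.UseTPMKeyPIN -eq 1) {
    Write-Warning 'Policy requires a startup PIN: enable with -TpmAndPinProtector (or the wizard PIN option).'
}
if ($p.UseTPMKey -eq 1) {
    Write-Warning 'Policy requires a USB startup key: enable with -StartupKeyProtector.'
}
if ($p.OSRequireActiveDirectoryBackup -eq 1) {
    Write-Warning 'Policy blocks enabling until the recovery password is backed up to AD DS; off-domain machines cannot satisfy this.'
}
if ($p.OSHardwareEncryption -eq 1) {
    Write-Warning 'Hardware (SED) encryption is enabled by policy; software XTS-AES has been the Windows default since 2019 after SED firmware flaws.'
}

# The only supported route on a machine with no TPM: this pair lets Enable-BitLocker use
# -PasswordProtector or -StartupKeyProtector instead of -TpmProtector.
if ($p.UseAdvancedStartup -eq 1 -and $p.EnableBDEWithNoTPM -eq 1) {
    Write-Host 'BitLocker without a TPM is allowed by policy.'
}
```

On a domain- or MDM-managed PC the values shown here come from central policy, so changing them in gpedit.msc is overwritten at the next policy refresh; the fix is to have the admin adjust the policy or to add the protector the policy requires.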

Bottom line: BitLocker on the system drive needs a TPM (2.0 on Windows 11 hardware), UEFI firmware with Secure Boot recommended, and a Pro, Enterprise or Education edition. Enable the TPM and Secure Boot in firmware setup if they are off, and check Group Policy if the wizard still refuses. Pro/Enterprise/Education: Control Panel → BitLocker Drive Encryption → Turn on BitLocker. Home: use Device Encryption or VeraCrypt.
